---
title: Unsafe HTML
slug: Web/Unsafe_HTML
---

<p>This page contains various nasty snippets of HTML that are expected to be caught as "unsafe".</p>

<p>
  Much of the inspiration for this comes from:
  <a href="https://github.com/payloadbox/xss-payload-list/blob/master/README.md">
    https://github.com/payloadbox/xss-payload-list
  </a>
</p>

<br \x20onerror="javascript:alert(1)" />

<div style="x:\xE2\x80\x85expression(javascript:alert(1)">

<a href="\x02javascript:javascript:alert(1)" id="fuzzelement1">test</a>

<iframe src="https://www.peterbe.com/"></iframe>

<iframe src="//evil.com/"></iframe>

<p>Here's a link that contains the string <code>:JavaScript</code> within the <code>href</code>
attribute:<br>
  <a href="https://wiki.mozilla.org/JavaScript:New_to_SpiderMonkey">
    A beginner's guide to SpiderMonkey, Mozilla's JavaScript engine</a>
</p>

<ul OnMouseOver="alert('xss')">
  <li>I'm</li>
  <li>sneaky</li>
</ul>

<script>alert(1)</script>

<style>
  * { background-image: url(/api/v1/settings);}
</style>
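<p>The link paragraph above is the false-positive case: a checker that searches <code>href</code> for the substring <code>javascript:</code> flags the SpiderMonkey wiki link, while one that compares the parsed URL scheme does not. The following check is an added example, not code from this page or from any project that consumes it. It assumes the markup has already been parsed into <code>{ tag, attrs }</code> objects; the names <code>findUnsafe</code>, <code>urlScheme</code> and <code>allowedFrameHosts</code> are hypothetical, and the sample writes the page's <code>\x02</code> and <code>\xE2\x80\x85</code> escapes as the characters U+0002 and U+2005.</p>

```javascript
// Added example: works on parsed elements ({ tag, attrs }), not raw markup.
const FORBIDDEN_TAGS = new Set(["script", "style"]);
const URL_ATTRS = new Set(["href", "src", "action", "formaction"]);

// Scheme as a browser's URL parser sees it: leading/trailing C0 control and
// space characters are stripped, tabs and newlines removed, then matched.
function urlScheme(value) {
  const cleaned = value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// allowedFrameHosts is a hypothetical caller-supplied allowlist.
function findUnsafe(elements, allowedFrameHosts = new Set()) {
  const flaws = [];
  elements.forEach(({ tag, attrs }, index) => {
    const name = tag.toLowerCase();
    const flag = (reason) => flaws.push({ index, reason });
    if (FORBIDDEN_TAGS.has(name)) flag(`<${name}> element`);
    for (const [rawKey, value] of Object.entries(attrs)) {
      const key = rawKey.toLowerCase(); // catches OnMouseOver, ONCLICK, ...
      if (key.startsWith("on")) flag(`event handler ${key}`);
      if (URL_ATTRS.has(key) && urlScheme(value) === "javascript") flag(`javascript: URL in ${key}`);
      if (key === "style" && /expression\s*\(/i.test(value)) flag("CSS expression() in style");
      if (name === "iframe" && key === "src") {
        let host = null; // stays null (and is flagged) if the URL cannot be parsed
        try { host = new URL(value, "https://base.invalid/").hostname; } catch {}
        if (!allowedFrameHosts.has(host)) flag(`iframe to ${host}`);
      }
    }
  });
  return flaws;
}

// Constructed sample modelled on this page's snippets.
const SAMPLE = [
  { tag: "a", attrs: { href: "\u0002javascript:javascript:alert(1)" } },
  { tag: "a", attrs: { href: "https://wiki.mozilla.org/JavaScript:New_to_SpiderMonkey" } },
  { tag: "ul", attrs: { OnMouseOver: "alert('xss')" } },
  { tag: "iframe", attrs: { src: "//evil.com/" } },
  { tag: "div", attrs: { style: "x:\u2005expression(javascript:alert(1)" } },
  { tag: "script", attrs: {} },
];
console.log(findUnsafe(SAMPLE));
```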
